How Secure Is Your Android VPN App?

A research paper [PDF] from the University of California and Commonwealth Scientific and Industrial Research Organisation (CSIRO) analyzed a group of Android VPN apps. They found that these particular apps had privacy and security issues.

More people are starting to realize the benefits of using a virtual private network. But without a lot of tech knowledge, it’s easy to assume that all VPNs are created equal. They are not, as this analysis shows. Additionally, it’s rare for a VPN to be free and protect user privacy. VPN services need to make money to continue operating. Some companies offer a free app while collecting user data to sell to advertisers.

In short, a VPN protects a user’s IP address as they browse the web. Web traffic passes through the VPN server instead of travelling directly between the user and the sites they visit. The research team analyzed over 280 Android VPN apps, examining them for privacy and security issues. Their results show that many free and premium VPN apps on Android are insecure.


Key Findings

67% of Android VPN apps say they will protect user privacy. 75% of those apps use third-party tracking libraries, and 82% asked for system permissions like accessing SMS messages.

37% of these apps had over 500k downloads, and 25% had at least 4-star ratings. Over 38% of the apps had signs of malware as shown on VirusTotal.

18% of the apps use tunneling protocols without encryption.

66% of these apps didn’t tunnel DNS traffic.

18% of the VPN apps didn’t reveal “the entity hosting the terminating VPN server,” while 16% of the apps might end up forwarding traffic using peer-to-peer forwarding.

16% of the VPN apps deployed non-transparent proxies that modified HTTP traffic, such as injecting or removing headers. Two apps injected JavaScript for ad and tracking purposes.

Four of the apps performed TLS interception.

As you can see, these VPN apps aren’t telling the full truth when they claim to protect their users’ privacy and security. The researchers say that Google needs to reevaluate the VPN permission model on Android. For example, the BIND_VPN_SERVICE permission breaks Android’s sandboxing.

These permissions are required for the LiquidVPN app to work. It can run on startup so that you are automatically connected to a VPN whenever possible. And it needs network access and connections to tunnel your web traffic to our servers. LiquidVPN is not free, but you get what you pay for. If you’re interested, try LiquidVPN today.